1. Field of the Invention
The present disclosure relates to verification of user identity. More specifically, the present disclosure relates to verification of user identity based on recorded user behavior history.
2. Related Art
The increased popularity of the Internet has changed modern life significantly. Many conventional activities have been transferred to the Internet. Internet users use the Internet to conduct daily activities such as shopping, banking, and even social activities. For reasons of security and confidentiality, when using a web service, a user is often required by the website to set up a password-protected user account. A user is authenticated by the web server using his password each time he accesses his account.
However, such a password-based authentication is either not sufficiently secure or cumbersome to users. A user's password can be obtained by malicious intruders, who can easily impersonate the user using the hacked password. On the other hand, a user may want to select a long and complicated password to reduce the likelihood of it being hacked. However, a long and complicated password becomes difficult for the user to remember, especially in the case when a user holds a number of accounts each having a unique password.
Once in a while a user may forget the password for his account and will need the website to reset the password. Before the website resets a user's password, the website verifies the identity of the user. In order to facilitate user identity verification, when setting up an account, a user is often required to manually input answers to a set of simple questions, sometimes referred to as security questions or challenges. For example, the user may need to input his mother's maiden name, the name of his childhood pet, or the name of the high school he attended. Such information is then stored in the user's profile. When the user requests password resetting, the website will ask him the same set of questions. By comparing the user's instant answer with information stored in his profile, the website can determine if the user requesting the password resetting is indeed the original user who set up the account.
Such an approach has several drawbacks. First, the answers to many questions might be easily guessable. For example, due to limited numbers of popular names for pets, an intruder may correctly guess the name of the first pet of the legitimate user. Second, the answers to some questions might be hard to remember, such as the name of the user's first teacher. In addition, answers to many common questions, such as high school attended, might be available to intruders by searching the user's public record. Examples of public records include the user's résumé posted online, or, the user's profile in an online social network. Therefore, asking simple short questions during user registration is not sufficiently secure for user identity verification.
To overcome the limitations of asking simple short questions, one approach is to present a user with an extended list of personality-related, yes-and-no questions, including his preference for certain items, such as certain kinds of food or a particular type of sport (see M. Jakobsson, L. Yang, and S. Wetzel. “Quantifying the Security of Preference-based Authentication” DIM'08.) Answers to these questions are easy to remember for a user but difficult to guess for an intruder. In general, the longer the list, the more difficult it is for an intruder to impersonate the user. Similar to inputting his mother's maiden name, a user is required to manually input the answers to the long list of yes-and-no questions while setting up the account. Although he may select his answers by clicking the mouse, answering a long list of questions is still burdensome. Furthermore, the user's personal preferences may change over time.
What is needed is a method to facilitate verification of a user's identity during password resetting in a secured manner without requiring the user to manually input user information while setting up the account.